mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 16:48:19 +00:00
42 lines
1.2 KiB
Text
42 lines
1.2 KiB
Text
# $Id: tm-ftp.bro,v 1.1.2.1 2006/01/04 03:55:48 sommer Exp $
|
|
#
|
|
# For sensitive FTP connections, request the data connection from the TM.
|
|
# When we get it, we store the reassembled payload and run the file-analyzer
|
|
# (the latter is automatically done by ftp.bro).
|
|
|
|
@load time-machine
|
|
@load tm-contents
|
|
@load ftp
|
|
|
|
module TimeMachineFTP;
|
|
|
|
global data_conns: table[count] of conn_id;
|
|
|
|
event ftp_sensitive_file(c: connection, session: FTP::ftp_session_info,
|
|
filename: string)
|
|
{
|
|
if ( is_external_connection(c) )
|
|
return;
|
|
|
|
if ( session$id !in data_conns )
|
|
# Should not happen, as transfer parameters need to be
|
|
# negotiated first. We let ftp.bro deal with this, though.
|
|
return;
|
|
|
|
local id = data_conns[session$id];
|
|
TimeMachine::save_contents(fmt("ftp.%s", session$id), c, T, "tm-ftp");
|
|
}
|
|
|
|
event ftp_connection_expected(c: connection, orig_h: addr, resp_h: addr,
|
|
resp_p: port, session: FTP::ftp_session_info)
|
|
{
|
|
data_conns[session$id] =
|
|
[$orig_h=orig_h, $orig_p=0/tcp, $resp_h=resp_h, $resp_p=resp_p];
|
|
}
|
|
|
|
event connection_state_remove(c: connection)
|
|
&priority = 5 # to be called before FTP's handler
|
|
{
|
|
if ( c$id in FTP::ftp_sessions )
|
|
delete data_conns[FTP::ftp_sessions[c$id]$id];
|
|
}
|